Privacy-preserving credentials for smartphones are coming

In modern life we constantly need credentials to verify our identity. There’s no credential more used—and abused—than the driver’s license. By “abused,” I mean in a broad sense: to use something for a secondary purpose for which it was not created. Driver’s licenses aren’t intended to verify your age when going to the bar or buying alcohol, and yet they are. In doing so, they reveal information irrelevant to the question of whether you are of age. Not only does a bouncer get to know your exact birthday, he also sees your home address.

Developers have been working for several years on a better way to design credentials. With COVID-19 and police surveillance now at the forefront of our political debates, it is time to bring this technology into the public conversation. The technology in question is privacy-preserving credentials hosted on smartphones, which have the potential to significantly improve privacy in cases where an individual needs to prove something like age or residence.

This technology has broad applications, including in the public-health domain. And as policymakers craft responses to the COVID-19 pandemic, it is crucial that privacy-preserving credentials are responsibly deployed.

What is the underlying problem?

Driver’s licenses have a primary purpose—showing that someone is authorized to drive an automobile. But our use of this document for other purposes leads to a number of secondary problems. What if that license is fake? What if it’s real and the bar’s bouncer just thinks it’s fake? What if that bouncer confiscates or destroys it? One’s license also leaks information that isn’t pertinent to age verification, like one’s home address. Even in the main secondary purpose, what we really want to know is that someone is an adult, not the specifics of their date of birth.

Some of these problems have mitigations. Many states issue ID cards that are not driver’s licenses but contain information like one’s date of birth. There are other credentials, such as passports, that don’t leak information like one’s home address, but have their own issues, including cost. Someone who does not commonly travel internationally may not want to pay for a passport just to show it to bartenders for age verification.

In the wake COVID-19, the workflow for verification represents another hurdle. Prior to the pandemic, I would give or show my ID to a bouncer, wait staff, or clerk and they’d look at it by hand, creating a possible vector for transmission. As we reopen, contactless scanning will be the norm. U.S. and Canadian licenses have a common two-dimensional barcode for all the information on the license. Dedicated scanners for licenses cost less than $150 at major online retailers. I found a free-to-download ($40/year for unlimited scans) smartphone app that scans my own license excellently, with automatic age verification and “bouncer mode” on by default.

This technology is likely to proliferate as economies reopen. You may be wondering, as I was, where the data from ID scanners is going. A scanner can do age checks without a network service; it only needs the current date to compute an age check. Some ID scanners undoubtedly will provide a service to upload and use that data. The app I downloaded was not at all clear as to what it does with the data collected. When I read its privacy policy, I could not tell what applied to me, the user of the app, and to barcodes I scan. It does send my location back to the app, at the very least, which could allow it to get scan data in states that don’t have privacy laws. Regardless, services collecting and selling this data is inevitable. What insurance company doesn’t want to know how often people are carded and for what?

Instead, what we’d really like to have is some sort of magic credential, a credential that could say, “over 21 and under 65” or “resident of Santa Clara County” without giving anything else away. That magic credential, implemented on smartphones and backed by some good privacy-preserving technology is on its way, starting to appear before the end of the year. This means it’ll be common in two to three years and ubiquitous in five to seven, based on normal upgrade patterns.

A workflow for such a magic credential might look like this: Tap a phone or scan a barcode at a distance to reveal “Over 21” and the person’s photo for manual matching—and nothing else.

Mobile device credentials

We have already taken some baby steps toward these magic credentials. Modern passports have embedded smart cards that can present information to a reader. Many credit cards are also tap-to-pay cards that use some of the same underlying technologies and standards. These cards have their own security and privacy issues, but they’re a start.

The credential systems are being built as an international standard, via the ISO 18013-5 and ISO 23220 standards groups. They take advantage of the power and security of modern smartphones to aid the issuer, the holder, and the verifier. (An excellent discussion of these standards can be found here.)

The programming frameworks for these mobile credentials are now part of Android Open Source and are expected to ship with Android 11, most likely in the fall of 2020. Note that specific apps for credentials are needed, and there isn’t a “credential app” that will be part of the operating system.

These frameworks and the apps they will spawn have a number of advantages over physical documents:

1. A physical credential is usually handed over to the verifier, leading to a number of risks, including that the verifier might seize or destroy the credential. Amid COVID-19, this is also a potential vector for the spread of disease. A mobile device credential can be verified at a distance, never leaving its owner’s hand, via optical readers, Near-Field Communications (the same used by tap cards), Bluetooth, or even WiFi.
2. Physical documents are relatively easily forged, but mobile device credentials use digital signatures to prove authenticity and are secure so long as the issuer keeps their signing key safe. It’s so hard to distinguish real documents from forged ones that there are many explainers on how to detect a fake document, as well as explainers on what to do if your real document is accused of being fake. Mobile device credentials go some way toward solving these problems.
3. All of the information on a physical credential is available to anyone who looks, but by digitizing a credential, the user has more control over what to reveal. When you hand over your driver’s license to get into a bar, there’s no way to minimize what the bouncer sees on the card. Mobile device credentials, on the other hand, permit the holder to decide what to release and the verifier to state what they need. Moreover, when we use a mobile device credential, the information we release is unlinkable. If you buy wine in three different grocery stores, none of them learn about you even if they collaborate, the issuer doesn’t learn about it, nor does any verification service.

These are all powerful reasons for why mobile device credentials can be a good thing, but the technology also has risks:

1. Handing over a document to someone else always comes with a risk, and there’s a bigger risk when we hand over our smartphone, which contains incredibly detailed data about our lives. While it’s perhaps easier to remember to keep one’s phone to oneself, it’s hard to resist coercion sometimes, especially when police are installing malware on phones. The developers of the Android system say they will completely lock the phone with no biometric unlock in a future release for added protection.
2. There is a similar risk in information disclosure. If, for example, a bar’s validator asks to verify that you are over 21 and for your home address, you don’t get to negotiate. You can give both or walk away from the transaction. Ultimately, addressing this class of issues will require some combination of user-experience work to make sure that people recognize when there’s a mismatch between what someone expects a transaction to be, and what it actually is. There are other potential risks, such as a vendor offering a discount for personal information.
3. This first generation of credentials are designed for in-person verification. The transactions always include a photo of the person, effectively stating something like, “the person in this photo is over 21.” Until recently, no one considered this to be an issue, but with the rise of services that do face recognition on arbitrary pictures, this is a risk, albeit one that is difficult to characterize exactly.

Future improvements

The first generation of mobile documents revolve around in-person verification. Unattended presentations, such as on the web, are left for the future. There are a number of use cases for it, such as being able to attest to a website that one is over a given age or residency for opening bank accounts.

There are obvious issues with these remote presentations, starting with the obvious: that someone could borrow someone else’s mobile device. On the other hand, the present workflow for age verification is nothing more than an interstitial page in which someone asserts that they are eligible. Nonetheless, using something like device biometrics to create a binding between a person and a device is an interesting, open problem.

Not just driver’s licenses

The initial work to implement mobile device credentials is ongoing. There are many ways to get this wrong, which means that some provider will. The ISO group is working hard to get other groups on the privacy-preserving bandwagon via the Secure Technology Alliance.

Since the architecture is open and standardized, there are plenty of other credentials that could create their own apps and back ends. Membership and loyalty cards, health insurance, and others could potentially use these systems.

Of course, with the COVID-19 pandemic continuing, there are potential public-health uses, as well. The most obvious application is as an immunity passport, which is a terrible idea. Immunity passports risk creating an incentive to getting infected and opening up discriminatory divides between those who have antibodies and those who do not, as the World Health Organization, the ACLU, and others have argued. What’s worse, the science on immunity remains so unsettled that it is unclear whether meaningful immunity from COVID-19 even exists. The privacy-preserving characteristics of smartphone credentials do nothing to mitigate these problems.

Nonetheless, there may be other uses for mobile credentials, such as tests that are part of a test, trace, and isolate public-health initiative. For example, consider someone who works in an assisted-care facility and gets tested regularly. The testing facility could issue a mobile credential along with test results directly to the worker with all information needed for proper accountability and privacy protections.

Since the underlying frameworks are not yet released and won’t be until (presumably) fall 2020, these are unlikely to be used outside of pilot tests in the immediate future. There is thus time to think about how these credentials could be part of a coronavirus public-health initiative.

Jon Callas is a senior technology fellow at the American Civil Liberties Union. A cryptographer and software engineer, he previously worked at Apple, where he helped design the encryption system to protect data stored on a Mac.